By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ExostarPublished November 24, 2025

TL;DR: CMMC 2.0 entered enforcement on November 10, 2025, and DoD contractors handling FCI or CUI now need to demonstrate the right maturity level through self-assessment, third-party assessment, and current SPRS evidence, according to Exostar. The compliance question has shifted from whether controls exist to whether they are operationalised, documented, and sustainable over time.


At a glance

What this is: CMMC 2.0 now links cybersecurity maturity to DoD contract eligibility, with Level 1, 2, and 3 requirements tied to FCI, CUI, and advanced persistent threat resistance.

Why it matters: For IAM, PAM, and broader security teams, the message is that governance, evidence quality, and control repeatability now matter as much as the controls themselves when access to sensitive government data is in scope.

By the numbers:

👉 Read Exostar's blog on CMMC maturity levels and DoD contract eligibility


Context

CMMC 2.0 is a governance model for proving cybersecurity maturity, not just a checklist for passing an assessment. In this article, the primary issue is how DoD contractors must now show that controls are documented, repeatable, and current enough to support contract eligibility, especially where FCI and CUI are involved.

The identity and access angle is real even though the article is framed as compliance: mature CMMC programmes depend on accountable access management, evidence for control operation, and sustainable processes for privileged users, service accounts, and subcontractor access. That makes the topic relevant to IAM, PAM, and NHI governance teams that support regulated environments.

The article’s starting position is typical for defence suppliers that have treated compliance as a periodic exercise. The enforcement change makes that posture increasingly inadequate.


Key questions

Q: What breaks when CMMC maturity is treated as a paperwork exercise?

A: Treating CMMC as paperwork creates stale evidence, inconsistent control operation, and weak accountability across teams and suppliers. That approach fails when assessors ask whether controls are repeatable and current, not merely documented. Organisations then discover that passing an assessment depends on operational discipline, not isolated documentation bursts.

Q: Why do IAM and privileged access controls matter in CMMC programmes?

A: IAM and privileged access controls matter because they shape whether security processes remain effective between assessments. If access reviews, offboarding, and privileged account oversight are weak, the organisation cannot credibly claim its controls are repeatable. In practice, identity governance is part of the evidence base for maturity, not a separate administrative task.

Q: How do organisations know if their CMMC programme is actually working?

A: A working CMMC programme produces current SPRS data, complete SSPs, tracked remediation, and consistent control ownership across teams. If those artefacts drift out of date or differ by department, the programme is not mature. The best signal is whether the organisation can sustain evidence quality without scrambling before assessment.

Q: Who is accountable when CMMC gaps remain open past the remediation window?

A: Accountability sits with the control owner, programme lead, and executive sponsor who accepted the gap. Because POA&Ms are time-bound, unresolved items should be escalated through formal risk governance rather than left open indefinitely. For regulated defence work, indefinite exception management is a maturity failure, not a temporary inconvenience.


Technical breakdown

How CMMC maturity maps to control governance

CMMC 2.0 turns cybersecurity into a maturity model with three levels, each tied to different data sensitivity and assurance expectations. Level 1 covers basic safeguards for FCI, Level 2 requires the full NIST SP 800-171 control set for CUI, and Level 3 adds protections aimed at advanced persistent threats. The important technical shift is that assessment is no longer only about whether a control exists. It is about whether it is documented, consistently applied, and supported by repeatable processes across the environment.

Practical implication: teams need control ownership, evidence collection, and review cadence to match the level required in the contract.

Why SPRS, SSPs, and POA&Ms are now operational controls

SPRS, System Security Plans, and Plans of Action and Milestones are not paperwork add-ons in CMMC. They are the operating record that shows whether an organisation knows its current score, the state of its controls, and which gaps remain open. That matters because CMMC maturity is judged over time, not at a single point. Limited POA&M use also means unresolved gaps cannot become permanent exceptions, which changes how organisations track remediation and governance.

Practical implication: maintain continuously updated evidence and treat remediation deadlines as control obligations, not administrative tasks.

Where identity governance and NHI control support CMMC readiness

The identity layer underpins much of the evidence CMMC expects, even when the standard is not written as an identity framework. Access control, privileged access governance, and account lifecycle management all influence whether controls stay effective between assessments. In practice, stale privileges, unmanaged service accounts, and inconsistent offboarding create the kind of drift that weakens repeatability. That is why IAM and NHI programmes become part of maturity, not a separate initiative.

Practical implication: align access reviews, privileged access controls, and non-human identity lifecycle management to the CMMC evidence model.


Threat narrative

Attacker objective: The attacker objective is to steal or disrupt access to FCI or CUI in ways that damage supply chain trust and create downstream national security risk.

  1. Entry occurs when contractors or suppliers fail to sustain basic cybersecurity hygiene, allowing attackers to target weakly governed environments that process FCI or CUI. Escalation follows when access, documentation, or oversight gaps let an intruder move from one system or supplier relationship into broader sensitive data paths. Impact is the exfiltration or compromise of government-related information that undermines contract eligibility and mission trust.

NHI Mgmt Group analysis

CMMC maturity is becoming an evidence problem, not only a control problem. The article correctly frames maturity as repeatability, documentation, and operational consistency, which is where many programmes fail in practice. That shifts the burden from one-time compliance projects to sustained governance. For practitioners, the real question is whether control operation can be proven continuously, not whether the control exists on paper.

Identity governance is a hidden dependency of CMMC readiness. CMMC may be written as a cyber compliance regime, but the repeatability it demands depends on access review, privileged access discipline, and service account control. Stale accounts and weak offboarding undermine the credibility of every assessment artifact that claims a control is effective. Practitioners should treat IAM and NHI hygiene as part of the maturity baseline.

Time-bound remediation changes the economics of exception management. The article’s POA&M discussion reflects a broader shift away from indefinite deferral of control gaps. Once exceptions have expiry, governance teams need tighter prioritisation and clearer risk acceptance paths. Practitioners should expect fewer tolerated gaps and more pressure to show closure discipline.

CMMC is converging with broader zero trust and supplier-risk expectations. The article links maturity to resilience and to the DoD’s wider cyber strategy, which means organisations will be judged on how well they manage access, segmentation, and evidence across the supply chain. That makes CMMC a governance signal beyond defence contracts. Practitioners should align contract readiness with broader access and supplier assurance programmes.

Defined process maturity is now part of competitive eligibility in defence supply chains. The companies most likely to avoid friction will be those that can show consistent control operation, accurate SPRS records, and audit-ready evidence across internal and subcontracted environments. This is less about certification theatre and more about operational trust. Practitioners should treat maturity as a bid-enablement capability.

What this signals

Control evidence will increasingly matter more than control intent. CMMC enforcement pushes programmes toward continuous proof, which means the teams that win are the ones that can produce current records, not just policy statements. For identity and access teams, that means access reviews, privileged account governance, and offboarding evidence need to be machine-collectable and audit-ready.

As supplier assurance tightens, identity lifecycle drift becomes a contract risk. Defence contractors that cannot show who has access, why they have it, and when it will be removed will struggle to sustain eligibility across complex supplier chains. The operational answer is tighter governance of human and non-human access paths, backed by traceable evidence.

SPRS quality will become a leading indicator of programme maturity. If the score is disconnected from real control status, the organisation is building assessment risk into the business. Practitioners should expect more scrutiny of evidence freshness, remediation closure, and access governance across internal and external users.


For practitioners

  • Confirm the required CMMC level for each contract Map each DoD solicitation to the applicable level before work begins, then align internal control scope, evidence collection, and assessment planning to that requirement.
  • Keep SPRS scores and evidence current Refresh SPRS inputs, System Security Plans, and remediation records on a recurring cadence so the score reflects the current control state rather than a stale assessment snapshot.
  • Tighten POA&M governance Track every POA&M to a named owner, expiry date, and closure path, and escalate items that cannot be resolved within the limited time window permitted under CMMC.
  • Bind IAM and NHI controls to assessment evidence Link access reviews, privileged account reviews, service account ownership, and offboarding records directly to the artefacts used for CMMC assurance.
  • Coordinate subcontractor readiness early Require suppliers and subcontractors to show their own maturity status and evidence flow before contract execution, especially where CUI handling spans multiple sites or teams.

Key takeaways

  • CMMC 2.0 is no longer a future-state policy discussion.** It now affects contract eligibility, so maturity, evidence, and accountability are operational requirements.
  • The biggest failure mode is not missing controls but unproven controls.** If the organisation cannot show repeatability, current SPRS data, and disciplined POA&M management, it is not ready.
  • Identity governance sits underneath the compliance story.** Access reviews, privileged access, and non-human identity controls determine whether CMMC evidence remains credible over time.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1CMMC maturity depends on controlled access and accountability across systems.
NIST SP 800-53 Rev 5AC-2Account management is central to sustained control operation in CMMC programmes.
CIS Controls v8CIS-5 , Account ManagementAccount management is a practical control layer for CMMC evidence and repeatability.
ISO/IEC 27001:2022A.5.15Access control governance supports the documented maturity CMMC expects.
GDPRGDPR is not directly triggered by this defence-only compliance topic.

Use CIS-5 to structure ownership, review, and deprovisioning across human and non-human accounts.


Key terms

  • CMMC Maturity Level: A CMMC maturity level is the assessed state an organisation must meet to handle specific categories of defence information. Each level increases the expectations for control scope, documentation, and repeatability, with higher levels demanding stronger oversight and evidence that security processes work consistently over time.
  • SPRS: Supplier Performance Risk System is the DoD repository used to record and reference contractor cybersecurity scores and related compliance status. In practice, it becomes part of the governance record, so a stale or inaccurate SPRS entry can create contract and assessment risk even when some controls are in place.
  • POA&M: A Plan of Action and Milestones is a tracked record of known security gaps, their owners, and the steps required to close them. In mature programmes, POA&Ms are temporary remediation vehicles, not permanent exceptions, and their aging directly affects how credible the overall control environment appears.

What's in the full article

Exostar's full blog covers the operational detail this post intentionally leaves for the source:

  • How the CMMC Final Rule maps to Level 1, 2, and 3 assessment expectations across DoD solicitations.
  • How the Certification Assistant calculates SPRS scores and structures SSP and POA&M workflows.
  • How Managed Microsoft 365 and GCC High handling support CUI-related operating requirements.
  • How the dashboards present compliance status across teams, suppliers, and contracts.

👉 The full Exostar post covers the Level 1 to Level 3 requirements, SPRS updates, and CMMC readiness guidance.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives practitioners a practical foundation for connecting identity controls to broader security and compliance programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org